<!DOCTYPE html>
<html lang="en-US">
<head>
	
<!-- Anti-flicker snippet: adds the .async-hide class (opacity 0) to the html element and records a start time on window.dataLayer.hide; the class is removed by dataLayer.hide.end() or, at the latest, by the 4000 ms timeout. This is an inline script, so a strict Content-Security-Policy needs a hash or nonce for it. -->
<style>.async-hide { opacity: 0 !important} </style> <script>(function(a,s,y,n,c,h,i,d,e){s.className+=' '+y;h.start=1*new Date; h.end=i=function(){s.className=s.className.replace(RegExp(' ?'+y),'')}; (a[n]=a[n]||[]).hide=h;setTimeout(function(){i();h.end=null},c);h.timeout=c; })(window,document.documentElement,'async-hide','dataLayer',4000, {'GTM-KC95766':true});</script>

<!-- Google Tag Manager loader (container GTM-KC95766): pushes a gtm.start event onto window.dataLayer, then inserts an async script element for gtm.js ahead of the first script in the document. The container is fetched by id, not by content hash, so no integrity attribute is possible; everything the container injects executes with full page privileges. -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-KC95766');</script>

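    <meta charset="UTF-8">
    <!-- charset must stay within the first 1024 bytes of the document; the inline tag-manager snippets above already consume most of that budget, so add nothing else ahead of it. -->
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png">
    <!-- No-JS fallback for the Facebook pixel loaded in body: a 1x1 tracking image, decorative for assistive technology (alt=""); the query-string ampersands are escaped so the attribute is valid HTML and resolves to the same URL. -->
    <noscript><img height="1" width="1" style="display:none" alt="" src="https://www.facebook.com/tr?id=128260767783916&amp;ev=PageView&amp;noscript=1"></noscript>
    <meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1">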

	
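	<!-- Page title and SEO / social-sharing metadata: canonical URL, Open Graph and Twitter card fields. Void elements carry no trailing slash. -->
	<title>ELF Malware Analysis 101: Part 3 - Advanced Analysis</title>
	<meta name="description" content="Attackers have targeted the Linux OS aggressively in recent years. Practice dynamic ELF malware analysis hands-on.">
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/">
	<meta property="og:locale" content="en_US">
	<meta property="og:type" content="article">
	<meta property="og:description" content="Attackers have targeted the Linux OS aggressively in recent years. Practice dynamic ELF malware analysis hands-on.">
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/">
	<meta property="og:site_name" content="Intezer">
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/">
	<meta property="article:published_time" content="2021-02-17T10:36:33+00:00">
	<meta property="article:modified_time" content="2021-12-07T16:03:18+00:00">
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg">
	<meta property="og:image:width" content="1024">
	<meta property="og:image:height" content="512">
	<meta property="og:image:type" content="image/jpeg">
	<meta name="twitter:card" content="summary_large_image">
	<meta name="twitter:title" content="ELF Malware Analysis 101: Part 3 - Advanced Analysis">
	<meta name="twitter:description" content="Practice dynamic ELF malware analysis hands-on.">
	<meta name="twitter:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/shutterstock_282380951-2.jpg">
	<meta name="twitter:creator" content="@IntezerLabs">
	<meta name="twitter:site" content="@IntezerLabs">
	<meta name="twitter:label1" content="Written by">
	<meta name="twitter:data1" content="Avigayil Mechtinger">
	<meta name="twitter:label2" content="Est. reading time">
	<meta name="twitter:data2" content="24 minutes">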
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/shutterstock_282380951-2.jpg","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/shutterstock_282380951-2.jpg","width":1024,"height":512},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#webpage","url":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/","name":"ELF Malware Analysis 101: Part 3 - Advanced 
Analysis","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#primaryimage"},"datePublished":"2021-02-17T10:36:33+00:00","dateModified":"2021-12-07T16:03:18+00:00","description":"Attackers have targeted the Linux OS aggressively in recent years. Practice dynamic ELF malware analysis hands-on.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"ELF Malware Analysis 101: Part 3 &#8211; Advanced Analysis"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766"},"headline":"ELF Malware Analysis 101: Part 3 &#8211; Advanced 
Analysis","datePublished":"2021-02-17T10:36:33+00:00","dateModified":"2021-12-07T16:03:18+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#webpage"},"wordCount":4203,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1.jpg","keywords":["DFIR","Dynamic Analysis","ELF Malware","Linux","malware","Malware Analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/dcebd6e0f0881db68c1b2aad57a7f766","name":"Avigayil Mechtinger","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/a58fa1c7c5adf29f1d0e392b4d1e7212?s=96&d=mm&r=g","caption":"Avigayil Mechtinger"},"url":"https://www.intezer.com/author/avigayil/"}]}</script>
	


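<!-- Resource hints for third-party origins used later in the page (dns-prefetch takes a host-only "//" form). The fonts.gstatic.com preconnect is repeated further down in head; harmless but redundant. -->
<link rel="dns-prefetch" href="//static.addtoany.com">
<link rel="dns-prefetch" href="//js.hs-scripts.com">
<link rel="dns-prefetch" href="//www.google.com">
<link rel="dns-prefetch" href="//c0.wp.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/">
<!-- WordPress core stylesheets (5.9.3 via c0.wp.com) and plugin styles from the site CDN; versions are pinned by path or query string, but none carries an integrity attribute. -->
<link rel="stylesheet" id="wp-block-library-css" href="https://c0.wp.com/c/5.9.3/wp-includes/css/dist/block-library/style.min.css" media="all">
<style id="wp-block-library-inline-css">
.has-text-align-justify{text-align:justify;}
</style>
<link rel="stylesheet" id="prismatic-blocks-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/css/styles-blocks.css?ver=69620a8ea322898ee44dac014d43fe0a" media="all">
<link rel="stylesheet" id="mediaelement-css" href="https://c0.wp.com/c/5.9.3/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css" media="all">
<link rel="stylesheet" id="wp-mediaelement-css" href="https://c0.wp.com/c/5.9.3/wp-includes/js/mediaelement/wp-mediaelement.min.css" media="all">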
<!-- WordPress global styles: theme.json presets exposed as CSS custom properties on body, plus the generated .has-* utility classes that consume them. -->
<style id="global-styles-inline-css">
body {
  --wp--preset--color--black: #000000;
  --wp--preset--color--cyan-bluish-gray: #abb8c3;
  --wp--preset--color--white: #ffffff;
  --wp--preset--color--pale-pink: #f78da7;
  --wp--preset--color--vivid-red: #cf2e2e;
  --wp--preset--color--luminous-vivid-orange: #ff6900;
  --wp--preset--color--luminous-vivid-amber: #fcb900;
  --wp--preset--color--light-green-cyan: #7bdcb5;
  --wp--preset--color--vivid-green-cyan: #00d084;
  --wp--preset--color--pale-cyan-blue: #8ed1fc;
  --wp--preset--color--vivid-cyan-blue: #0693e3;
  --wp--preset--color--vivid-purple: #9b51e0;
  --wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);
  --wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);
  --wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);
  --wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);
  --wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);
  --wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);
  --wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);
  --wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);
  --wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);
  --wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);
  --wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);
  --wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);
  --wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');
  --wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');
  --wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');
  --wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');
  --wp--preset--duotone--midnight: url('#wp-duotone-midnight');
  --wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');
  --wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');
  --wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');
  --wp--preset--font-size--small: 13px;
  --wp--preset--font-size--medium: 20px;
  --wp--preset--font-size--large: 36px;
  --wp--preset--font-size--x-large: 42px;
}
/* Text colour utilities */
.has-black-color { color: var(--wp--preset--color--black) !important; }
.has-cyan-bluish-gray-color { color: var(--wp--preset--color--cyan-bluish-gray) !important; }
.has-white-color { color: var(--wp--preset--color--white) !important; }
.has-pale-pink-color { color: var(--wp--preset--color--pale-pink) !important; }
.has-vivid-red-color { color: var(--wp--preset--color--vivid-red) !important; }
.has-luminous-vivid-orange-color { color: var(--wp--preset--color--luminous-vivid-orange) !important; }
.has-luminous-vivid-amber-color { color: var(--wp--preset--color--luminous-vivid-amber) !important; }
.has-light-green-cyan-color { color: var(--wp--preset--color--light-green-cyan) !important; }
.has-vivid-green-cyan-color { color: var(--wp--preset--color--vivid-green-cyan) !important; }
.has-pale-cyan-blue-color { color: var(--wp--preset--color--pale-cyan-blue) !important; }
.has-vivid-cyan-blue-color { color: var(--wp--preset--color--vivid-cyan-blue) !important; }
.has-vivid-purple-color { color: var(--wp--preset--color--vivid-purple) !important; }
/* Background colour utilities */
.has-black-background-color { background-color: var(--wp--preset--color--black) !important; }
.has-cyan-bluish-gray-background-color { background-color: var(--wp--preset--color--cyan-bluish-gray) !important; }
.has-white-background-color { background-color: var(--wp--preset--color--white) !important; }
.has-pale-pink-background-color { background-color: var(--wp--preset--color--pale-pink) !important; }
.has-vivid-red-background-color { background-color: var(--wp--preset--color--vivid-red) !important; }
.has-luminous-vivid-orange-background-color { background-color: var(--wp--preset--color--luminous-vivid-orange) !important; }
.has-luminous-vivid-amber-background-color { background-color: var(--wp--preset--color--luminous-vivid-amber) !important; }
.has-light-green-cyan-background-color { background-color: var(--wp--preset--color--light-green-cyan) !important; }
.has-vivid-green-cyan-background-color { background-color: var(--wp--preset--color--vivid-green-cyan) !important; }
.has-pale-cyan-blue-background-color { background-color: var(--wp--preset--color--pale-cyan-blue) !important; }
.has-vivid-cyan-blue-background-color { background-color: var(--wp--preset--color--vivid-cyan-blue) !important; }
.has-vivid-purple-background-color { background-color: var(--wp--preset--color--vivid-purple) !important; }
/* Border colour utilities */
.has-black-border-color { border-color: var(--wp--preset--color--black) !important; }
.has-cyan-bluish-gray-border-color { border-color: var(--wp--preset--color--cyan-bluish-gray) !important; }
.has-white-border-color { border-color: var(--wp--preset--color--white) !important; }
.has-pale-pink-border-color { border-color: var(--wp--preset--color--pale-pink) !important; }
.has-vivid-red-border-color { border-color: var(--wp--preset--color--vivid-red) !important; }
.has-luminous-vivid-orange-border-color { border-color: var(--wp--preset--color--luminous-vivid-orange) !important; }
.has-luminous-vivid-amber-border-color { border-color: var(--wp--preset--color--luminous-vivid-amber) !important; }
.has-light-green-cyan-border-color { border-color: var(--wp--preset--color--light-green-cyan) !important; }
.has-vivid-green-cyan-border-color { border-color: var(--wp--preset--color--vivid-green-cyan) !important; }
.has-pale-cyan-blue-border-color { border-color: var(--wp--preset--color--pale-cyan-blue) !important; }
.has-vivid-cyan-blue-border-color { border-color: var(--wp--preset--color--vivid-cyan-blue) !important; }
.has-vivid-purple-border-color { border-color: var(--wp--preset--color--vivid-purple) !important; }
/* Gradient background utilities */
.has-vivid-cyan-blue-to-vivid-purple-gradient-background { background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important; }
.has-light-green-cyan-to-vivid-green-cyan-gradient-background { background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important; }
.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background { background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important; }
.has-luminous-vivid-orange-to-vivid-red-gradient-background { background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important; }
.has-very-light-gray-to-cyan-bluish-gray-gradient-background { background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important; }
.has-cool-to-warm-spectrum-gradient-background { background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important; }
.has-blush-light-purple-gradient-background { background: var(--wp--preset--gradient--blush-light-purple) !important; }
.has-blush-bordeaux-gradient-background { background: var(--wp--preset--gradient--blush-bordeaux) !important; }
.has-luminous-dusk-gradient-background { background: var(--wp--preset--gradient--luminous-dusk) !important; }
.has-pale-ocean-gradient-background { background: var(--wp--preset--gradient--pale-ocean) !important; }
.has-electric-grass-gradient-background { background: var(--wp--preset--gradient--electric-grass) !important; }
.has-midnight-gradient-background { background: var(--wp--preset--gradient--midnight) !important; }
/* Font-size utilities */
.has-small-font-size { font-size: var(--wp--preset--font-size--small) !important; }
.has-medium-font-size { font-size: var(--wp--preset--font-size--medium) !important; }
.has-large-font-size { font-size: var(--wp--preset--font-size--large) !important; }
.has-x-large-font-size { font-size: var(--wp--preset--font-size--x-large) !important; }
</style>
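<!-- Plugin and theme stylesheets from the site CDN, version-pinned by query string. -->
<link rel="stylesheet" id="contact-form-7-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.6" media="all">
<link rel="stylesheet" id="prismatic-highlight-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/css/default.css?ver=3.0" media="all">
<link rel="stylesheet" id="bootstrap_css-css" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=69620a8ea322898ee44dac014d43fe0a" media="all">
<link rel="stylesheet" id="fontawesome_css-css" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=69620a8ea322898ee44dac014d43fe0a" media="all">
<link rel="stylesheet" id="main_css-css" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1650349359" media="all">
<link rel="stylesheet" id="wpdreams-asl-basic-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5" media="all">
<link rel="stylesheet" id="wpdreams-ajaxsearchlite-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5" media="all">
<link rel="stylesheet" id="slb_core-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1" media="all">
<link rel="stylesheet" id="addtoany-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.16" media="all">
<link rel="stylesheet" id="cf7cf-style-css" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.1.2" media="all">
<!-- Async-loaded stylesheet: the inline onload handler flips rel from preload to stylesheet once the file arrives. Inline event attributes are blocked by a strict Content-Security-Policy unless it allows them explicitly (e.g. 'unsafe-hashes'); the wpacuLoadCSS script later in the page is the fallback for browsers without rel=preload support. -->
<link rel="preload" as="style" id="wpacu-preload-jetpack_css-css" data-wpacu-preload-it-async="1" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.9-a.5" media="all" onload="this.onload=null;this.rel='stylesheet'">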






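<!-- WordPress REST API discovery links, one element per line. -->
<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/">
<link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/16712">
<!-- Hides the Jetpack stats beacon image. -->
<style>img#wpstats{display:none}</style>
<!-- Google Fonts: absolute https URLs instead of protocol-relative "//" forms; the ampersand in the query string is escaped so the attribute is valid HTML and resolves to the same URL. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="preload" as="style" href="https://fonts.googleapis.com/css?family=Open+Sans&amp;display=swap">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans&amp;display=swap" media="all">
<style>
  /* If html has neither class, do not show lazy-loaded images. */
  html:not(.jetpack-lazy-images-js-enabled):not(.js) .jetpack-lazy-image {
    display: none;
  }
</style>
<style>
  /* Ajax Search Lite: icon font plus per-site theme overrides. */
  @font-face {
    font-family: 'aslsicons2';
    src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot');
    src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot?#iefix') format('embedded-opentype'),
         url('https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff2') format('woff2'),
         url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff') format('woff'),
         url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.ttf') format('truetype'),
         url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.svg#icons') format('svg');
    font-weight: normal;
    font-style: normal;
    font-display: swap;
  }
  div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
    font-size: 0px !important;
    color: rgba(0, 0, 0, 0);
  }
  div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
    font-size: 11px !important;
    position: absolute;
    top: 0;
    left: 0;
    z-index: 1;
  }
  div[id*='ajaxsearchlite'].wpdreams_asl_container {
    width: 100%;
    margin: 0px 0px 14px 0px;
  }
  div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
    font-weight: bold;
    color: rgba(48, 138, 255, 1);
    background-color: rgb(255, 255, 255);
  }
  div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
    width: 84px;
    height: 60px;
    background-size: cover;
    background-repeat: no-repeat;
  }
  div.asl_r .results {
    max-height: none;
  }
  .asl_m .probox svg {
    fill: rgba(204, 216, 228, 1) !important;
  }
  .asl_m .probox .innericon {
    background-color: rgba(255, 255, 255, 1) !important;
    /* background-image has no vendor-prefixed form; only the standard property is needed. */
    background-image: none !important;
  }
  div.asl_m.asl_w {
    border: 1px solid rgba(48, 138, 255, 1) !important;
    border-radius: 7px 7px 7px 7px !important;
    box-shadow: none !important;
  }
  div.asl_m.asl_w .probox {
    border: none !important;
  }
  div.asl_r.asl_w.vertical .results .item::after {
    display: block;
    position: absolute;
    bottom: 0;
    content: '';
    height: 1px;
    width: 100%;
    background: #D8D8D8;
  }
  div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
    display: none;
  }
  div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
  }
  div.asl_w .probox .promagnifier {
    order: 1;
  }
  div.asl_r .results .item .asl_content h3,
  div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
  }
  div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
  }
  .wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
  }
  p.asl_desc {
    color: #849eb5;
  }
  span.asl_nores_header {
    font-size: 14px;
  }
</style>
<!-- Site icons and the user-supplied Customizer stylesheet. -->
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32">
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192">
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png">
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png">
<link rel="stylesheet" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6">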



</head>

<body class="post-template-default single single-post postid-16712 single-format-standard wp-custom-logo elf-malware-analysis-101-part-3-advanced-analysis elementor-default elementor-kit-8921">
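<!-- Facebook pixel loader. fbevents.js is fetched from connect.facebook.net by fixed URL, so it cannot carry an integrity hash and runs with full page privileges. Each fbq() call sits on its own line: a trailing // comment on the same physical line as fbq('track', ...) would swallow the call, which is exactly what the collapsed one-line form of this snippet did. -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '128260767783916'); // pixel ID
fbq('track', 'PageView');
</script>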
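<!-- VideoPress token bridge configuration: the admin-ajax endpoint and the bridge script URL, presumably read by the bridge script loaded right after (its source is not in view here). The legacy type attribute and CDATA markers are unnecessary in HTML5. -->
<script id="media-video-jwt-bridge-js-extra">
var videopressAjax = {"ajaxUrl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","bridgeUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/jetpack\/modules\/videopress\/js\/videopress-token-bridge.js"};
</script>
<script src="https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/modules/videopress/js/videopress-token-bridge.js?ver=6" id="media-video-jwt-bridge-js"></script>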
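<!-- AddToAny share widget bootstrap. page.js comes from static.addtoany.com by fixed URL, so it cannot be pinned with an integrity hash and executes with full page privileges. The jQuery that follows is an old 3.2.1 build served from the site CDN: version-pinned by query string but likewise without subresource integrity; review whether it is still needed at this version. -->
<script id="addtoany-core-js-before">
window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};
</script>
<script async src="https://static.addtoany.com/menu/page.js" id="addtoany-core-js"></script>
<script src="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=69620a8ea322898ee44dac014d43fe0a" id="jquery-js"></script>
<!-- Deferred AddToAny jQuery helper: it has no src, the URL lives in the custom wpacu-addtoany-jquery-src attribute and is copied into src by the inline script that follows, only for viewports at least 1024px wide. -->
<script data-wpacu-apply-media-query="screen and (min-width: 1024px)" async wpacu-addtoany-jquery-src="https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1" id="addtoany-jquery-js"></script>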
<script>
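/**
 * Activate the deferred AddToAny script when the viewport media query matches.
 *
 * The script tag is emitted without a src attribute; its real URL sits in the
 * custom "wpacu-addtoany-jquery-src" attribute, so the browser fetches nothing
 * until this handler copies that URL into src.
 *
 * @param {MediaQueryList|{matches: boolean}} wpacu_addtoany_jquery_match_media_var
 *   The media query result (also passed by the change listener).
 */
function wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var) {
    if (!wpacu_addtoany_jquery_match_media_var || !wpacu_addtoany_jquery_match_media_var.matches) {
        return;
    }
    var wpacuScriptTag = document.querySelector("[wpacu-addtoany-jquery-src]");
    // No tag (e.g. stripped by another plugin): nothing to activate. Indexing
    // an empty NodeList with [0] would throw a TypeError here.
    if (!wpacuScriptTag) {
        return;
    }
    wpacuScriptTag.setAttribute('src', wpacuScriptTag.getAttribute('wpacu-addtoany-jquery-src'));
}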
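// Evaluate the media query now and re-evaluate on every change.
try {
    var wpacu_addtoany_jquery_match_media_var = window.matchMedia("screen and (min-width: 1024px)");
    wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var);
    wpacu_addtoany_jquery_match_media_var.addListener(wpacu_addtoany_jquery_match_media);
}
catch (wpacuError) {
    // matchMedia unavailable (or the listener API threw): load the script
    // unconditionally. The tag is a <script>, so the URL must go into "src";
    // setting "href" on a script element has no effect and would leave the
    // library silently unloaded.
    var wpacuFallbackTag = document.querySelector("[wpacu-addtoany-jquery-src]");
    if (wpacuFallbackTag) {
        wpacuFallbackTag.setAttribute('src', wpacuFallbackTag.getAttribute('wpacu-addtoany-jquery-src'));
    }
}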
</script>
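<!-- HubSpot analytics queue: labels this page as a blog post for the HubSpot tracking script (loaded elsewhere, not in view here). The type attribute is the HTML5 default and is omitted. -->
<script>
  var _hsq = _hsq || [];
  _hsq.push(["setContentType", "blog-post"]);
</script>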
<!-- HubSpot forms shim: queues hbspt.forms.create(...) definitions submitted before the HubSpot forms library loads, then replays them the moment the library assigns its real create() function (observed through a property setter). -->
<script>
  (function () {
    var hs = window.hbspt = window.hbspt || {};
    hs.forms = hs.forms || {};
    hs._wpFormsQueue = [];

    // Entry point, presumably called by embedded form snippets: create the
    // form now if the library is ready, otherwise park the definition.
    hs.enqueueForm = function (formDef) {
      if (hs.forms && hs.forms.create) {
        hs.forms.create(formDef);
      } else {
        hs._wpFormsQueue.push(formDef);
      }
    };

    if (window.hbspt.forms.create) {
      return;
    }
    // Intercept the library's assignment of forms.create so the queue can be
    // drained at exactly that point.
    Object.defineProperty(window.hbspt.forms, 'create', {
      configurable: true,
      get: function () {
        return hs._wpCreateForm;
      },
      set: function (value) {
        hs._wpCreateForm = value;
        while (hs._wpFormsQueue.length) {
          var queued = hs._wpFormsQueue.shift();
          if (!document.currentScript) {
            // NOTE(review): relies on a global "hubspot" object that nothing in
            // this page defines; assumed to be provided by the forms library
            // before it assigns create(). Confirm, otherwise this throws.
            hubspot.utils.currentScript = document.getElementById('leadin-forms-v2-js');
          }
          hs._wpCreateForm.call(hs.forms, queued);
        }
      },
    });
  })();
</script>
<!-- Marks the document so the lazy-image rule in head shows .jetpack-lazy-image elements (they stay hidden when neither this class nor .js is on html). -->
<script>document.documentElement.classList.add('jetpack-lazy-images-js-enabled');</script>
<!-- Ajax Search Lite bootstrap: runs only when the plugin script has already defined _ASL with an initialize method. -->
<script>
  if (typeof _ASL !== "undefined" && _ASL !== null && typeof _ASL.initialize !== "undefined") {
    _ASL.initialize();
  }
</script>
<!-- Vendored loadCSS polyfill (Filament Group, MIT), renamed wpacuLoadCSS. It inserts a stylesheet link with media="only x" so the download does not block rendering, polls document.styleSheets with setTimeout until the sheet is present, then sets media to the requested value (default "all"). Exposed as window.wpacuLoadCSS, or on exports under CommonJS. Presumably the fallback for the rel=preload stylesheet links in head. -->
<script id="wpacu-preload-async-css-fallback">
/*! LoadCSS. [c]2020 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/
/* wpacuLoadCSS(href, before, media, attributes): `before` is the node to insert ahead of (default: after the last child of body, or of head before body exists); `attributes` are copied onto the link; `ready` waits for document.body by polling. */
(function(w){"use strict";var wpacuLoadCSS=function(href,before,media,attributes){var doc=w.document;var ss=doc.createElement('link');var ref;if(before){ref=before}else{var refs=(doc.body||doc.getElementsByTagName('head')[0]).childNodes;ref=refs[refs.length-1]}
var sheets=doc.styleSheets;if(attributes){for(var attributeName in attributes){if(attributes.hasOwnProperty(attributeName)){ss.setAttribute(attributeName,attributes[attributeName])}}}
ss.rel="stylesheet";ss.href=href;ss.media="only x";function ready(cb){if(doc.body){return cb()}
setTimeout(function(){ready(cb)})}
ready(function(){ref.parentNode.insertBefore(ss,(before?ref:ref.nextSibling))});var onwpaculoadcssdefined=function(cb){var resolvedHref=ss.href;var i=sheets.length;while(i--){if(sheets[i].href===resolvedHref){return cb()}}
setTimeout(function(){onwpaculoadcssdefined(cb)})};function loadCB(){if(ss.addEventListener){ss.removeEventListener("load",loadCB)}
ss.media=media||"all"}
if(ss.addEventListener){ss.addEventListener("load",loadCB)}
ss.onwpaculoadcssdefined=onwpaculoadcssdefined;onwpaculoadcssdefined(loadCB);return ss};if(typeof exports!=="undefined"){exports.wpacuLoadCSS=wpacuLoadCSS}else{w.wpacuLoadCSS=wpacuLoadCSS}}(typeof global!=="undefined"?global:this))
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-725468766"></script>
<script>
  // Google Ads tag bootstrap: ensure the shared dataLayer queue exists,
  // then define the global gtag() helper that pushes its arguments onto it.
  if (!window.dataLayer) {
    window.dataLayer = [];
  }
  function gtag() {
    window.dataLayer.push(arguments);
  }
  gtag('js', new Date());
  gtag('config', 'AW-725468766');
</script>


<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KC95766"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<div class="popup"><div role="form" class="wpcf7" id="wpcf7-f468-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/#wpcf7-f468-o1" method="post" class="wpcf7-form init clearfix" novalidate="novalidate" data-status="init" id="request-demo-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="468" />
<input type="hidden" name="_wpcf7_version" value="5.5.6" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f468-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:468,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false,&quot;notice_dismissed_rollback-cf7-5.5.3&quot;:true,&quot;notice_dismissed_rollback-cf7-5.5.4&quot;:true}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value=""></option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 
value="Colombia">Colombia</option><option value="Comoros">Comoros</option><option value="Democratic Republic of the Congo (Kinshasa)">Democratic Republic of the Congo (Kinshasa)</option><option value="Congo, Republic of(Brazzaville)">Congo, Republic of(Brazzaville)</option><option value="Costa Rica">Costa Rica</option><option value="Croatia">Croatia</option><option value="Cuba">Cuba</option><option value="Cyprus">Cyprus</option><option value="Czechia">Czechia</option><option value="Denmark">Denmark</option><option value="Djibouti">Djibouti</option><option value="Dominica">Dominica</option><option value="Dominican Republic">Dominican Republic</option><option value="East Timor (Timor-Leste)">East Timor (Timor-Leste)</option><option value="Ecuador">Ecuador</option><option value="Egypt">Egypt</option><option value="El Salvador">El Salvador</option><option value="Equatorial Guinea">Equatorial Guinea</option><option value="Eritrea">Eritrea</option><option value="Estonia">Estonia</option><option value="Ethiopia">Ethiopia</option><option value="Fiji">Fiji</option><option value="Finland">Finland</option><option value="France">France</option><option value="Gabon">Gabon</option><option value="Gambia">Gambia</option><option value="Georgia">Georgia</option><option value="Germany">Germany</option><option value="Ghana">Ghana</option><option value="Gibraltar">Gibraltar</option><option value="Greece">Greece</option><option value="Grenada">Grenada</option><option value="Guatemala">Guatemala</option><option value="Guinea">Guinea</option><option value="Guinea-Bissau">Guinea-Bissau</option><option value="Guyana">Guyana</option><option value="Haiti">Haiti</option><option value="Honduras">Honduras</option><option value="Hong Kong">Hong Kong</option><option value="Hungary">Hungary</option><option value="Iceland">Iceland</option><option value="India">India</option><option value="Indonesia">Indonesia</option><option value="Iran, Islamic Republic of">Iran, Islamic Republic of</option><option 
value="Iraq">Iraq</option><option value="Ireland">Ireland</option><option value="Israel">Israel</option><option value="Italy">Italy</option><option value="Ivory Coast">Ivory Coast</option><option value="Jamaica">Jamaica</option><option value="Japan">Japan</option><option value="Jordan">Jordan</option><option value="Kazakhstan">Kazakhstan</option><option value="Kenya">Kenya</option><option value="Kiribati">Kiribati</option><option value="Korea, Democratic People&#039;s Republic of(North Korea)">Korea, Democratic People&#039;s Republic of(North Korea)</option><option value="Korea, Republic of">Korea, Republic of</option><option value="Kosovo">Kosovo</option><option value="Kuwait">Kuwait</option><option value="Kyrgyzstan">Kyrgyzstan</option><option value="Lao People&#039;s Democratic Republic">Lao People&#039;s Democratic Republic</option><option value="Latvia">Latvia</option><option value="Lebanon">Lebanon</option><option value="Lesotho">Lesotho</option><option value="Liberia">Liberia</option><option value="Libya">Libya</option><option value="Liechtenstein">Liechtenstein</option><option value="Lithuania">Lithuania</option><option value="Luxembourg">Luxembourg</option><option value="Macau">Macau</option><option value="Macedonia, Rep. of">Macedonia, Rep. 
of</option><option value="Madagascar">Madagascar</option><option value="Malawi">Malawi</option><option value="Malaysia">Malaysia</option><option value="Maldives">Maldives</option><option value="Mali">Mali</option><option value="Malta">Malta</option><option value="Marshall Islands">Marshall Islands</option><option value="Mauritania">Mauritania</option><option value="Mauritius">Mauritius</option><option value="Mexico">Mexico</option><option value="Micronesia, Federal States of">Micronesia, Federal States of</option><option value="Moldova">Moldova</option><option value="Monaco">Monaco</option><option value="Mongolia">Mongolia</option><option value="Montenegro">Montenegro</option><option value="Morocco">Morocco</option><option value="Mozambique">Mozambique</option><option value="Myanmar, Burma">Myanmar, Burma</option><option value="Namibia">Namibia</option><option value="Nauru">Nauru</option><option value="Nepal">Nepal</option><option value="Netherlands">Netherlands</option><option value="New Caledonia">New Caledonia</option><option value="New Zealand">New Zealand</option><option value="Nicaragua">Nicaragua</option><option value="Niger">Niger</option><option value="Nigeria">Nigeria</option><option value="Norway">Norway</option><option value="Oman">Oman</option><option value="Pakistan">Pakistan</option><option value="Palau">Palau</option><option value="Palestinian territories">Palestinian territories</option><option value="Panama">Panama</option><option value="Papua New Guinea">Papua New Guinea</option><option value="Paraguay">Paraguay</option><option value="Peru">Peru</option><option value="Philippines">Philippines</option><option value="Poland">Poland</option><option value="Portugal">Portugal</option><option value="Puerto Rico">Puerto Rico</option><option value="Qatar">Qatar</option><option value="Romania">Romania</option><option value="Russian Federation">Russian Federation</option><option value="Rwanda">Rwanda</option><option value="Saint Kitts and Nevis">Saint 
Kitts and Nevis</option><option value="Saint Lucia">Saint Lucia</option><option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option><option value="Samoa">Samoa</option><option value="San Marino">San Marino</option><option value="Sao Tome and Principe">Sao Tome and Principe</option><option value="Saudi Arabia">Saudi Arabia</option><option value="Senegal">Senegal</option><option value="Serbia">Serbia</option><option value="Seychelles">Seychelles</option><option value="Sierra Leone">Sierra Leone</option><option value="Singapore">Singapore</option><option value="Slovakia">Slovakia</option><option value="Slovenia">Slovenia</option><option value="Solomon Islands">Solomon Islands</option><option value="Somalia">Somalia</option><option value="South Africa">South Africa</option><option value="South Sudan">South Sudan</option><option value="Spain">Spain</option><option value="Sri Lanka">Sri Lanka</option><option value="Sudan">Sudan</option><option value="Suriname">Suriname</option><option value="Swaziland">Swaziland</option><option value="Sweden">Sweden</option><option value="Switzerland">Switzerland</option><option value="Syria, Syrian Arab Republic">Syria, Syrian Arab Republic</option><option value="Taiwan">Taiwan</option><option value="Tajikistan">Tajikistan</option><option value="Tanzania">Tanzania</option><option value="Thailand">Thailand</option><option value="Tibet">Tibet</option><option value="Togo">Togo</option><option value="Tonga">Tonga</option><option value="Trinidad and Tobago">Trinidad and Tobago</option><option value="Tunisia">Tunisia</option><option value="Turkey">Turkey</option><option value="Turkmenistan">Turkmenistan</option><option value="Tuvalu">Tuvalu</option><option value="Uganda">Uganda</option><option value="Ukraine">Ukraine</option><option value="United Arab Emirates">United Arab Emirates</option><option value="United Kingdom">United Kingdom</option><option value="Uruguay">Uruguay</option><option 
value="Uzbekistan">Uzbekistan</option><option value="Vanuatu">Vanuatu</option><option value="Vatican City State (Holy See)">Vatican City State (Holy See)</option><option value="Venezuela">Venezuela</option><option value="Vietnam">Vietnam</option><option value="Yemen">Yemen</option><option value="Zambia">Zambia</option><option value="Zimbabwe">Zimbabwe</option></select></span>
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option 
value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Phone</span><br />
<span class="wpcf7-form-control-wrap mx_phone"><input type="tel" name="mx_phone" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-tel wpcf7-validates-as-required wpcf7-validates-as-tel w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-field">
<input type="submit" value="Submit" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<p><script>
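// After Contact Form 7 reports a successful send, record the submission in
// the GTM dataLayer so tag rules can fire on it.
document.addEventListener( 'wpcf7mailsent', function( event ) {
	// Same guard idiom as the gtag bootstrap above: if the GTM snippet did
	// not run, window.dataLayer is undefined and .push() would throw here.
	var dataLayer = window.dataLayer = window.dataLayer || [];
	dataLayer.push({
		"event" : "request-submission",
		"formId" : event.detail.contactFormId,
		// NOTE(review): event.detail.inputs presumably holds the submitted
		// field values — this form collects name, email, company and phone —
		// so the whole response is handed to every tag that reads the
		// dataLayer. Confirm that is intended; otherwise push formId only.
		"response" : event.detail.inputs
	})
});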
</script></p>
<div class="wpcf7-response-output" aria-hidden="true"></div></form></div></div>



<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/"
  },
  "headline": "ELF Malware Analysis 101: Part 3 – Advanced Analysis",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1-1024x475.jpg",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2021-02-17"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">ELF Malware Analysis 101: Part 3 - Advanced Analysis</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/IMG_20200610_100615-60x60.jpg" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Avigayil Mechtinger</span><span class="author-date"> - 17 February 2021</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/shutterstock_282380951-1-1024x475.jpg" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><h2 style="color: #627d98; font-size: 28px;">Getting Caught Up to Speed</h2>
<p>So far in this series we have profiled the <a href="https://www.intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/">ELF threat landscape</a> and covered the most common intrusion vectors seen in Linux systems. We also pursued <a href="https://www.intezer.com/blog/linux/elf-malware-analysis-101-initial-analysis/">initial ELF analysis</a> with an emphasis on static analysis. We learned about the different artifacts and components that are relevant for initial analysis and how they can help us gather immediate insights about a file. <strong>In Part 3, we will take the next step and dynamically analyze ELF malware</strong>.</p>



<p>While static analysis is performed without execution, dynamic analysis gives us an understanding of how a file interacts with the operating system at runtime. Insights about file behavior help us better assess the potential impact of the malware and gather additional indicators that can help us paint the bigger picture (C&amp;C for instance). Dynamic analysis also allows us to collect further <a href="https://www.intezer.com/blog/malware-analysis/new-feature-get-more-context-for-your-analysis-with-ttps/">Tactics, Techniques, and Procedures (TTPs)</a> that can be attributed to specific malicious tools and threat actors.</p>



<p>Static and dynamic analysis are complementary. The information gathered during initial analysis will accelerate the dynamic analysis process.</p>
<h2 style="color: #627d98; font-size: 28px;">Agenda</h2>
<p>After reading this article you will be able to understand which insights can be extracted during ELF runtime and what tools can help you do so.</p>
<p>

</p>
<p>The following subjects will be covered in this article:</p>
<p>

</p>
<ol style="color: #627d98;">
<li>Linux Processes</li>
<li>ELF Syscalls</li>
<li>Persistence Methods</li>
<li>Network Sniffing</li>
<li>Sandboxes</li>
</ol>
<p>

</p>
<p>After covering our dynamic analysis toolset, we will put them to use by practicing on a real sample found in the wild.</p>
<h2 style="color: #627d98; font-size: 28px;">Analysis Environment Preparations</h2>
<p>Before we get started, let’s prep your Linux VM (virtual machine). If you don’t have a Linux VM, follow <a href="https://itsfoss.com/install-linux-in-virtualbox/" target="_blank" rel="noopener">this guide</a> to install one.</p>
<p>

</p>
<p>Needless to say, running malware should only be done in isolated environments such as VMs. Even when using a VM the malware can cause harm, not only to your system but also to other machines over the internet. For example, running a worm can spread it over the network (see <a href="https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/">New Golang Worm Drops XMRig Miner on Servers</a>). Running ransomware or stealers can encrypt and/or collect information from your VM, including files located in folders shared with your host.</p>
<p>

</p>
<p>Make sure that your virtual environment meets the following criteria before you run malware:</p>
<p>

</p>
<ol style="color: #627d98;">
<li><strong>Your machine host name and user name are generic</strong>. Run <strong>uname  -n</strong> to see the host name of your machine, and run <strong>getent passwd {1000..60000}</strong> to list all human usernames on the machine.</li>
<li><strong>Your IP is not easily trackable</strong>. Masking your public IP can be done in several ways:
<ol type="a">
<li><strong>Basic</strong>: Use a <a href="https://cybernews.com/best-vpn/" target="_blank" rel="noopener">VPN service</a> on your host machine during dynamic analysis. The traffic from your VM should be tunneled through your host. Verify your public IP from within the VM by running a command such as: <strong>curl 'https://api.ipify.org'</strong>. There are various free VPN programs you can use such as <a href="https://openvpn.net/" target="_blank" rel="noopener">OpenVPN</a>.</li>
<li><strong>Advanced:</strong> Use a second VM as a router that tunnels traffic, via Tor for instance. Establishing that, you can route the entire network from your malware analysis VM through the router VM.</li>
</ol>
<p>Note that you can always disconnect your machine from the internet and start the dynamic analysis with no network connection as a first step.</p>
</li>
</ol>
<ol style="color: #627d98;" start="3" type="1">
<li><strong>Your machine is clean from private information.</strong> Make sure that you don’t have any passwords, API keys, etc. written on the machine.</li>
<li><strong>Disable shared folders and the shared clipboard before running the malware.</strong></li>
</ol>
<p>

</p>
<h2 style="color: #627d98; font-size: 28px;">Setting Up SSH Connection</h2>
<p>Use SSH to transfer files from your machine (host) to your VM (guest). Follow these steps to establish a connection:</p>
<p>

</p>
<ol style="color: #627d98;">
<li>Install <a href="https://www.openssh.com/" target="_blank" rel="noopener">OpenSSH</a> on your VM: <br /><strong><em>sudo apt-get update</em></strong> <br /><strong><em>sudo apt-get install -y openssh-server</em></strong></li>
<li>Shut down your VM.</li>
</ol>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-21.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-21.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-21.png" /></noscript></center>
<ol style="color: #627d98;" start="3" type="1">
<li style="list-style-type: none;">
<ol style="color: #627d98;" start="3" type="1">
<li>Go to Settings &gt; Network.
<ol type="a">
<li>Adapter 1 should be set to NAT:</li>
</ol>
</li>
</ol>
</li>
</ol>
<p><br /><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-18.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-18.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-18.png" /></noscript></p>
<ol style="color: #627d98;" start="3" type="1">
<li style="list-style-type: none;">
<ol type="a">
<li>Add a second adapter: Choose “Host-only Adapter” and apply changes.</li>
</ol>
</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-14.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-14.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-14.png" /></noscript></center>
<p>



</p>
<ol style="color: #627d98;" start="4" type="1">
<li>Go to Settings &gt; System &gt; Motherboard and make sure these entries are enabled:</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-5.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-5.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-5.png" /></noscript></center>
<p>

</p>
<ol style="color: #627d98;" start="5" type="1">
<li>Start your VM and get the LAN IP address of the VM instance. Run <strong>ip addr show</strong>.</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<p><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-2.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-2.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-2.png" /></noscript>

</p>
<ol style="color: #627d98;" start="6" type="1">
<li style="list-style-type: none;">
<ol style="color: #627d98;" start="6" type="1">
<li>Make sure the OpenSSH service is active on the VM by running: <strong>sudo service ssh status</strong>.</li>
</ol>
</li>
</ol>
<ol style="color: #627d98;" start="6" type="1">
<li>You should now be able to connect from your host to the guest machine via SSH. Using the <strong>scp</strong> command you can copy files and directories from your host machine to the VM. Replace <strong>VM-IP</strong> below with the address you retrieved with <strong>ip addr show</strong>, and run on your host: <br /><strong>scp -r /my/host/path VM-username@VM-IP:/path/to/whereyouwant/thefile</strong></li>
</ol>
<h2 style="color: #627d98; font-size: 28px;">Linux Processes</h2>
<p>Every instance of a running program on the system is a process. Each process has its unique process ID. You can see all of your processes by running <strong>ps aux</strong>. The <a href="https://man7.org/linux/man-pages/man1/ps.1.html" target="_blank" rel="noopener">ps</a> command displays information about the processes that were running at the exact moment you ran it. To see continuously refreshed output use <a href="https://man7.org/linux/man-pages/man1/top.1.html" target="_blank" rel="noopener">top</a>.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-12.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-12.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-12.png" /></noscript>


<p><em>Figure 1: </em><em><strong>ps aux</strong></em><em> output</em></p>
</center>
<p>

</p>
<h2 style="color: #627d98; font-size: 18px;">The proc Filesystem</h2>
<p>The “proc” filesystem is a pseudo-filesystem provided by the Linux kernel. It provides an interface to kernel data structures, which include information about all currently running processes. It is commonly mounted under the /proc directory. Each process has its own directory under /proc, and the directory name is the process ID.</p>
<p>

</p>
<p>To get a better understanding of the proc directory, open two terminals on your Linux VM and run <em><strong>ping 8.8.8.8</strong></em> on one of them. On the second terminal, run <em><strong>pidof ping</strong></em> to retrieve ping’s process ID. <br /><br />Let’s review the process directory by browsing the /proc/PID directory and running <em><strong>ls</strong></em>. You can see that it has different directories and files. All process directories share the same structure, filenames and directories. Figure 2 describes the flow above.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-9.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-9.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-9.png" /></noscript>


<p><em>Figure 2: Retrieving ping’s process ID and the process directory content</em></p>
</center>
<p>

</p>
<p>The following are some interesting files that will be present under every process directory:</p>
<p><strong>cmdline </strong>&#8211; command line arguments that ran the file.</p>
<p><strong>status </strong>&#8211; process status in human readable form.</p>
<p><strong>maps </strong>&#8211; memory maps regions and their access permissions.</p>
<p><strong>exe</strong> &#8211; symbolic link containing the pathname of the executed command. Attempting to open it will open the executable. Try running <strong>sha256sum exe</strong> and sha256sum on the ping file: <strong>sha256sum $(which ping)</strong>. You will see they match.</p>
<p>

</p>
<p>After you kill the ping process, you will see the /proc/PID directory no longer exists.</p>
<p>

</p>
<p>Browse <a href="https://man7.org/linux/man-pages/man5/proc.5.html" target="”_blank”" rel="noopener">here</a> for more information about the proc file system.</p>
<h2 style="color: #627d98; font-size: 18px;">Process Tree</h2>
<p>The process tree structure can give you insights about what is running on a machine before diving into specific processes.</p>
<p>A single executable can create more than one process on the machine. Let’s emphasize that by using the <em><strong>pstree </strong></em>command to view the running processes as a tree. The following are some examples of what the process tree will look like for each scenario:</p>
<p>

</p>
<ol style="color: #627d98;">
<li><strong>Other process creation</strong>: A process can call other processes. Let’s compile a simple program that runs a ping command via bash and name it <strong>ping-google-dns</strong>:


<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-22.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-22.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-22.png" /></noscript>


<p><em>Figure 3: </em><em><strong>ping-google-dns</strong></em><em> source code</em></p>
</center>


<p>Let’s run the program and on another terminal run <em><strong>pstree | grep ping-google-dns</strong></em>:</p>



<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-16.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-16.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-16.png" /></noscript>


<p><em>Figure 4: Process tree created by </em><em><strong>ping-google-dns</strong></em></p>
</center>


<p>We ran the <strong>ping-google-dns</strong> program from a terminal (<strong>bash</strong> process) which called <strong>sh </strong>binary (a command language interpreter) that called the <strong>ping </strong>binary.</p>
</li>
</ol>
<p>

</p>
<ol style="color: #627d98;" start="2" type="1">
<li><strong>Forks</strong>: fork() creates a new process that is a duplicate of the calling process. The new process is called a child process and it has a different process ID than its parent. Let’s re-compile the <strong>ping-google-dns</strong> source code, this time with the addition of a fork() call.


<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-19.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-19.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-19.png" /></noscript>


<p><em>Figure 5: </em><em><strong>ping-google-dns</strong></em><em> source code</em></p>
</center>


<p>Let’s run the program and on another terminal run <em><strong>pstree | grep ping-google-dns</strong></em>.</p>



<p>Figure 6 shows what the process tree looks like with one fork call. You will see in the screenshot below that the same program has two process IDs.</p>
</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-7.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-7.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-7.png" /></noscript>


<p><em>Figure 6: Process tree created by </em><em><strong>ping-google-dns</strong></em></p>
</center>
<p>

</p>
<ol style="color: #627d98;" start="3" type="1">
<li><strong>Threads</strong>: Threads provide multiple concurrent execution flows within a single program. Creating a thread does not create a new process ID. Let’s compile this code that runs three threads as <strong>print-something </strong>(the compiled file can be downloaded from <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-3-Advanced-Analysis/Article-samples/print-something" target="_blank" rel="noopener">here</a>).</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-15.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-15.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-15.png" /></noscript>


<p><em>Figure 7: </em><em><strong>print-something </strong></em><em>source code</em></p>
</center>
<p>

</p>
<p>Now let’s run the program and run <em><strong>pstree | grep print-something </strong></em>on another terminal. Figure 8 emphasizes what the process tree of a program that runs with three threads will look like.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-11.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-11.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-11.png" /></noscript>


<p><em>Figure 8: Process tree created by </em><em><strong>print-something</strong></em></p>
</center>
<p>

</p>
<h2 style="color: #627d98; font-size: 20px;">Process Monitoring Tools</h2>
<p><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite" target="_blank" rel="noopener">Sysinternals Suite</a> provides convenient GUIs for monitoring all processes that are running on a Windows machine (among other things). Microsoft’s <a href="https://github.com/Sysinternals/ProcMon-for-Linux/" target="_blank" rel="noopener">ProcMon-for-Linux</a>, based on <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" target="_blank" rel="noopener">ProcMon</a>, and Intezer’s <a href="https://github.com/intezer/linux-explorer" target="_blank" rel="noopener">Linux Expl0rer</a>, inspired by <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer" target="_blank" rel="noopener">ProcExp</a>, are intuitive solutions for Linux process tracking.</p>
<p>

</p>
<h2 style="color: #627d98; font-size: 28px;">System Calls</h2>
<p>Only the kernel can perform changes outside of the process&#8217;s own memory space. The process must ask the kernel to perform tasks such as creating files or writing output. This is where system calls come into play.</p>
<p>

</p>
<p><a href="https://man7.org/linux/man-pages/man2/syscalls.2.html" target="_blank" rel="noopener">Syscalls</a> (system calls) are the interface an application uses to request services from the kernel. Syscalls are usually invoked through glibc wrappers rather than by calling the kernel directly, for portability: the low-level syscall conventions differ between architectures, and glibc handles those differences so the developer does not have to.</p>
<p>

</p>
<p><strong>Syscalls are an interface</strong><strong> that the malware must pass through in order to cause actual harm to the system</strong><strong>. Analyzing syscalls can help us understand how the file interacts with the system and how it operates behind the scenes.</strong></p>
<p>

</p>
<p><em><a href="https://man7.org/linux/man-pages/man1/strace.1.html" target="_blank" rel="noopener">strace</a></em> is a powerful tool for tracing a program’s system calls. Run <em><strong>strace whoami</strong></em> on your Linux VM and take a look at the output. Each row in the strace output is a syscall, and the first syscall will be <em><strong>execve</strong></em>, which executes the program. Each system call has a return value whose meaning depends on the call: it can be a file descriptor (an integer), 0 on success, -1 on error, and so on.</p>
<p>

</p>
<p>These are some interesting syscalls we will look for by analyzing the strace output:</p>
<p>

</p>
<p><strong>open/openat</strong> &#8211; open and possibly create a file.</p>
<p style="color: #627d98;"><strong>read </strong>&#8211; read from a file descriptor.</p>
<p>

</p>
<p><strong>access</strong> &#8211; check user&#8217;s permissions for a file.</p>
<p>

</p>
<p><strong>write</strong> &#8211; write to a file descriptor.</p>
<p>

</p>
<p><strong>mkdir/mkdirat</strong> &#8211; make directories.</p>
<p>

</p>
<p><strong>connect</strong> &#8211; initiate a connection on a socket.</p>
<p>

</p>
<p><strong>socket</strong> &#8211; create an endpoint for communication.</p>
<p>

</p>
<p><strong>execve</strong> &#8211; execute program.</p>
<p>

</p>
<p>Let’s try it ourselves. Run the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-3-Advanced-Analysis/Article-samples/trace-me" target="”_blank”" rel="noopener">trace-me</a> file on your VM using strace. Use the -o flag to save the command output: <em><strong>strace -o out.txt ./trace-me</strong></em>:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-23.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-23.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-23.png" /></noscript>


<p><em>Figure 9: </em><em><strong>trace-me</strong></em><em> output</em></p>
</center>
<p>

</p>
<p>Now, let’s read the strace output to see what happened on the system. Run <em><strong>cat out.txt</strong></em>:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-13.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-13.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-13.png" /></noscript>


<p><em>Figure 10: </em><em><strong>strace </strong></em><em>output</em></p>
</center>
<p>

</p>
<p>You will see the file creates the<strong> .tomato</strong> directory under the <strong>tmp </strong>directory, and creates a file <br /><strong>answer.txt</strong> inside this directory. If you look carefully at the flow, you can see the return value of <strong>openat </strong>for the answer.txt file is 3, which is the file descriptor. Then, the <strong>write </strong>syscall that writes <strong>“I was created!!” </strong>uses file descriptor 3 as its first argument. This means that this text is written to answer.txt.</p>
<p><strong><u>Tips</u>:</strong></p>
<ol style="color: #627d98;">


<li>In most cases the syscall output will be much bigger than in the last example. It is recommended to always save the strace output to a text file (<em><strong>strace -o out.txt ./file</strong></em>). Make sure that you have a convenient text editor such as <a href="https://www.sublimetext.com/docs/3/linux_repositories.html" target="_blank" rel="noopener">Sublime Text</a> that will help you analyze the large text file.</li>
<li>To gain full visibility of all syscalls of the processes created by the file, including forks, run <strong>strace</strong> with the follow-forks flag -f (<em><strong>strace -f ./file</strong></em>).</li>
<li>By default, strace truncates printed strings to 32 characters. Use the -v (verbose) and -s (string size) flags to see more characters (<strong>strace -v -s 150 ./file</strong>).</li>
<li>To reduce noise, you can choose which syscalls will be presented on strace output using the -e flag. For example, if you are searching for network-related calls together with read and write calls, you can run <strong>strace -e network,read,write ./file</strong>.</li>
</ol>
<p>

</p>
<p><a href="https://man7.org/linux/man-pages/man2/syscalls.2.html" target="”_blank”" rel="noopener">Learn more about syscalls</a></p>
<h2 style="color: #627d98; font-size: 28px;">Persistence</h2>
<p>Once malware finds its way into a compromised system, it will often attempt to achieve persistence in order to survive a reboot. Another reason malware developers add persistence capabilities is to make removal harder, including removal attempted by other malware families trying to gain a foothold on already compromised systems. This is most common among CoinMiners, which search for other known miners on a compromised machine and attempt to kill them, so that they remain the only CoinMiner running on the system and ultimately win the machine’s resources. See <a href="https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html" target="_blank" rel="noopener">War of Linux Cryptocurrency Miners: A Battle for Resources</a>.</p>
<p>

</p>
<p><strong>Detecting persistence methods is important for understanding how to respond to malware on a compromised machine. Killing the process is not always enough to mitigate the threat; the persistence methods must be cleared as well.</strong></p>
<p>

</p>
<p>These are the most common persistence methods used by Linux malware:</p>
<p>

</p>
<ol style="color: #627d98;">
<li><strong><a href="https://attack.mitre.org/techniques/T1053/003/" target="_blank" rel="noopener">Cron</a></strong> &#8211; Malware will create scheduled tasks that run periodically on a system using cron jobs. <a href="https://man7.org/linux/man-pages/man5/crontab.5.html" target="_blank" rel="noopener">crontab</a> and <a href="https://linux.die.net/man/5/anacrontab" target="_blank" rel="noopener">anacrontab</a> are the configuration files used by the <a href="https://linux.die.net/man/8/cron" target="_blank" rel="noopener">cron</a> and <a href="https://linux.die.net/man/8/anacron" target="_blank" rel="noopener">anacron</a> services, which are in charge of executing scheduled tasks. The malware will write entries to the configuration files, which are located under: /etc/crontab, /var/spool/cron/, /etc/cron.d/, /etc/anacrontab, /var/spool/anacron/. 


The following <a href="https://twitter.com/IntezerLabs/status/1334147151329435650" target="_blank" rel="noopener">XMRig Miner dropper</a> uses crontab as one of its persistence methods. Figure 11 shows what a crontab entry looks like:</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-17.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-17.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-17.png" /></noscript>


<p><em>Figure 11: crontab entry written by malware</em></p>
</center>
<p>

</p>
<p><strong>Note:</strong> Running crontab -l will list the existing cron jobs per user. Using root privileges, you can either run <em><strong>crontab -l -u &lt;user&gt;</strong></em> or <em><strong>cat /var/spool/cron/crontabs/&lt;user&gt;</strong></em> for specific users. To view the cron jobs for all users, run <em><strong>cd /var/spool/cron/crontabs/ &amp;&amp; grep </strong></em><em><strong>. *</strong></em></p>
<p>

</p>
<ol style="color: #627d98;" start="2" type="1">
<li><strong><a href="https://attack.mitre.org/techniques/T1053/006/" target="_blank" rel="noopener">Services</a></strong> &#8211; Linux has initialization scripts that are used to start services on system boot. The program in charge of starting the rest of the system runs as PID 1 (you can explore your /proc/1 directory). Malware will often attempt to gain persistence by creating a service that will be run by the init program on boot. The init program varies between Linux distributions and versions; however, systemd is the most common these days. rc.d and init.d are older init systems which are still used in certain Linux distributions. <a href="https://www.tecmint.com/systemd-replaces-init-in-linux/" target="_blank" rel="noopener">Learn more about why init.d was replaced by systemd</a>.
<p>The service will commonly be found under the following paths: /etc/systemd/system/, ~/.config/systemd, /etc/rc.d/, /etc/init.d/.</p>



<p><a href="https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/">IPStorm</a> Linux version is an example of a malware that gained persistence by creating a service under /etc/systemd/system/storm.service. Figure 12 emphasizes the structure of a systemd service file.</p>
</li>
</ol>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-10.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-10.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-10.png" /></noscript>


<p><em>Figure 12: storm.service content</em></p>
</center>
<p>

</p>
<ol style="color: #627d98;" start="3" type="1">
<li><strong><a href="https://attack.mitre.org/techniques/T1546/004/" target="_blank" rel="noopener">Event Triggered Executions</a></strong> &#8211; Once a user logs in or a new shell session is created, Linux automatically launches executables listed in configuration files. These configuration files are shell scripts which can be edited to launch malware. File locations: /etc/profile.d, /etc/profile, /etc/bash.bashrc, ∼/.bashrc, ∼/.bash_profile, ~/.bash_login, ~/.profile. <a href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank" rel="noopener">Linux Rabbit</a> is a malware that uses .bashrc to set up persistence.</li>
</ol>
<p>

</p>
<ol style="color: #627d98;" start="4" type="1">
<li><strong><a href="https://attack.mitre.org/techniques/T1547/" target="”_blank”" rel="noopener">Graphical Desktop Autostarts</a></strong> &#8211; Similar to event triggered executions, once a user logs in via a graphical desktop environment such as GNOME or KDE, Linux will automatically search for desktop entries to execute applications on startup. A generic location for desktop entries is under ∼/.config/autostart/. Other possible locations include:
~/.kde/Autostart,~/.kde/share/autostart, ~/.kde4/Autostart, /usr/share/autostart/, /etc/xdg/autostart/. The autostart service will have a .desktop suffix. This persistence method is relevant for malware that targets endpoints.


<a href="https://twitter.com/AbbyMCH/status/1346470180247937027" target="”_blank”" rel="noopener">ElectroRAT’s</a> Linux version gains persistence by creating a desktop entry under ~/.config/autostart/mdworker.desktop.</li>
</ol>
<p>

</p>
<ol style="color: #627d98;" start="5" type="1">
<li><strong><a href="https://attack.mitre.org/techniques/T1547/006/" target="_blank" rel="noopener">Loadable Kernel Modules (LKM)</a></strong> &#8211; The Linux kernel is designed to allow loading external pieces of code called kernel modules. Configured kernel modules are automatically loaded on system boot. Because kernel modules run with full kernel privileges, and can be loaded dynamically (using <a href="https://linux.die.net/man/8/modprobe" target="_blank" rel="noopener">modprobe</a> or <a href="https://linux.die.net/man/8/insmod" target="_blank" rel="noopener">insmod</a>) with no need to reboot the system, this method is commonly used for rootkits as well.
Malware that attempts to gain persistence via this method will create malicious kernel modules that are loaded into the kernel and run on boot. Kernel modules are located under /lib/modules/$(uname -r). By running <strong>lsmod</strong> you can see which kernel modules are currently loaded.</li>
</ol>
<p>

</p>
<ol style="color: #627d98;" start="6" type="1">
<li><strong><a href="https://attack.mitre.org/techniques/T1574/006/" target="_blank" rel="noopener">Hijack Execution Flow</a></strong> &#8211; Dynamically linked binaries use shared libraries at runtime (in the previous article we explained the differences between dynamically and statically linked files). These libraries are loaded by the dynamic linker, which searches for libraries on absolute paths and in common directories. LD_PRELOAD is an optional environment variable containing paths to shared libraries or objects. The dynamic linker loads the libraries in LD_PRELOAD before loading any other shared library (including libc).
Malware developers can set LD_PRELOAD to point to malicious libraries. Once a dynamically linked binary is executed on a compromised machine, it will load the malicious library too. Because an environment variable alone does not survive a reboot, this technique is usually combined with one of the startup locations above, or with the system-wide /etc/ld.so.preload file, which the dynamic linker reads for every process; checking that file is a quick way to spot this method.
<a href="https://www.intezer.com/blog/linux/hiddenwasp-malware-targeting-linux-systems/">HiddenWasp</a> is a malware that uses LD_PRELOAD for persistence.</li>
</ol>
<p>

</p>
<p>To summarize this section, there are different startup locations which can be used as persistence methods for malware. However, the most commonly used methods are services and cron jobs.</p>
<p>

</p>
<p><strong><u>Tip</u>:</strong> A convenient way to check if a malware attempts to gain persistence is by analyzing the syscalls (strace output) and searching for known methods. For example, you can run <em><strong>cat strace_output.txt | grep cron </strong></em>to search for any interaction with the cron process.</p>
<p>

</p>
<h2 style="color: #627d98; font-size: 28px;">Network Sniffing</h2>
<p>So far we covered how to monitor a file’s activity internally on the system. You can understand if a malware interacts with a C&amp;C or external services by analyzing network-related syscalls such as <a href="https://man7.org/linux/man-pages/man2/socket.2.html" target="”_blank”" rel="noopener">socket</a> and <a href="https://man7.org/linux/man-pages/man2/connect.2.html" target="”_blank”" rel="noopener">connect</a>. However, syscalls are not the way to go for network monitoring. You should use a packet sniffing and network monitoring tool to analyze the traffic. The most popular tools for this purpose are <a href="https://www.tcpdump.org/" target="”_blank”" rel="noopener">tcpdump</a> and <a href="https://www.wireshark.org/" target="”_blank”" rel="noopener">Wireshark</a>, both based on libpcap. tcpdump is a CLI tool that should be preinstalled on commonly used Linux distributions. Wireshark has similar functionalities to tcpdump and provides a convenient GUI.</p>
<p>

</p>
<p>To install Wireshark on your VM run the following commands:</p>
<p>

</p>
<p><strong>sudo add-apt-repository ppa:wireshark-dev/stable <br />sudo apt install -y wireshark <br />sudo wireshark</strong></p>
<p>

</p>
<p><strong><u>Tip</u>:</strong> Make sure to run Wireshark before running the file you are analyzing so that you won’t miss any packets related to the malware.</p>
<h2 style="color: #627d98; font-size: 28px;">Sandboxes</h2>
<p>Sandboxes can accelerate analysis by providing context about the file’s behavior on a machine without the hassle of opening a VM, running the malware and relevant tools. They will not always replace a hands-on, deep dive analysis of a VM, but sandboxes help you pinpoint interesting behaviors while saving you time.</p>
<p>

</p>
<p>Here are some relevant tools:</p>
<p>

</p>
<ol style="color: #627d98;">
<li><a href="https://www.hybrid-analysis.com/" target="”_blank”" rel="noopener">Hybrid-Analysis </a>&#8211; Online</li>
<li><a href="https://tria.ge/dashboard" target="”_blank”" rel="noopener">Hatching-Triage</a> &#8211; Online</li>
<li><a href="https://github.com/danieluhricek/LiSa" target="”_blank”" rel="noopener">LiSa </a> &#8211; Open-source</li>
</ol>
<h2 style="color: #627d98; font-size: 28px;">Real Life Example</h2>
<p>Let’s practice your dynamic analysis skills! We will begin with <a href="https://www.intezer.com/blog/linux/elf-malware-analysis-101-initial-analysis/">initial analysis</a> to gather insights and then proceed to dynamic analysis. Our mission is to (1) understand how the file behaves and (2) see how dynamic analysis tools come in handy.</p>
<p><a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-3-Advanced-Analysis/Real-life-example/337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6.sample" target="”_blank”" rel="noopener">Our test sample? This ELF malware found in the wild.</a></p>
<p>

</p>
<p>A quick side note: uploading this file to <a href="https://analyze.intezer.com/files/337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6" target="_blank" rel="noopener">Intezer Analyze</a> classifies it as Rekoobe, based on code reused from previous Rekoobe samples. We will analyze the file manually for practice anyway.</p>
<p><a href="https://analyze.intezer.com/files/337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6" target="_blank" rel="noopener"><img class="wp-image-15156 aligncenter jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-25.png" data-slb-group="post-images" alt="pasted image 0 6" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-25.png?is-pending-load=1" srcset=""><noscript><img class="wp-image-15156 aligncenter" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-25.png" alt="pasted image 0 6" /></noscript></a></p>
<p>Step one, download/copy the <a href="https://github.com/intezer/ELF-Malware-Analysis-101/raw/master/Part-3-Advanced-Analysis/Real-life-example/337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6.sample" target="”_blank”" rel="noopener">sample</a> to your VM. Make sure:</p>
<p>

</p>
<ol style="color: #627d98;">
<li>Your environment is prepared based on the Analysis Environment Preparation section.</li>
<li>You have a clean snapshot of your VM with the relevant tools. In this example we will be using Wireshark and Sublime Text editor. Other tools should be preinstalled on the machine.</li>
</ol>
<p>

</p>
<p>Let’s begin with static analysis and try to read the file’s symbols to see if there are any human readable function names. Run <em><strong>readelf -s sample. </strong></em>There is no output for the command, which means the file has been stripped.</p>
<p>

</p>
<p>Let’s read the file’s program headers by running <em><strong>readelf -l sample</strong></em>. The following image shows the command’s output:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-4.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-4.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-4.png" /></noscript>


<p><em>Figure 13: Sample’s program headers </em></p>
</center>
<p>

</p>
<p>We can tell the file is statically linked because it has neither a dynamic symbol table nor a DYNAMIC program header.</p>
<p>

</p>
<p>Let’s run the strings command on the file. Because the file is statically linked you should expect to see a large number of strings related to libc. Figure 14 is a snippet of the <a href="https://linux.die.net/man/1/strings" target="”_blank”" rel="noopener">strings</a> commands output:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-1.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-1.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-1.png" /></noscript>


<p><em>Figure 14: Snippet from </em><em><strong>strings</strong> output</em></p>
</center>
<p>

</p>
<p>The strings snippet is a strong indicator that the file will attempt to create a service to gain persistence. “systemctl enable likemae” and the other strings around it tell us that the service name will be <strong>likemae</strong>. Another interesting string is c[.]linux-hosts[.]com, which could be the C&amp;C.</p>
<p>

</p>
<p><strong>Now that we have gathered enough information in the initial analysis step, let’s proceed to dynamic analysis.</strong></p>
<p>

</p>
<p>First, start a Wireshark capture, then run the sample with strace: <strong>sudo strace -f -o out.txt ./sample</strong> (<strong>-f</strong> also traces any child processes the sample forks, and <strong>-o</strong> writes the trace to out.txt). We will analyze this malware as a privileged user to see its full capabilities.</p>
<p>

</p>
<p>Open out.txt in a text editor of your choice, such as Sublime Text. The following snippet shows the beginning of the strace output:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-24.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-24.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-24.png" /></noscript>


<p><em>Figure 15: Snippet from strace output</em></p>
</center>
<p>

</p>
<p>Analyzing the syscalls in the snippet, it’s clear that this malware checks whether likemae.service already exists with the <strong>access</strong> syscall. The return value is -1 because the service doesn’t yet exist on the machine. The malware then moves its own executable to <strong>/usr/bin/likemae</strong> using the <strong>rename</strong> syscall. Next, using the <strong>open</strong> syscall, the malware creates <strong>likemae.service</strong> and writes to it.</p>
<p>

</p>
<p>Let’s view the service’s full content:</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-8.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-8.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-8.png" /></noscript>


<p><em>Figure 16: </em><em><strong>likemae.service</strong></em><em> content </em></p>
</center>
<p>

</p>
<p>You can also use <strong>grep</strong> to find interesting syscalls. Run <em><strong>cat out.txt | grep exe</strong></em> to list the <strong>execve</strong> calls, i.e. every program the malware executed.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<p><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-6.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-6.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-6.png" /></noscript>

</p>
<p>The malware made sure the likemae service would be started. Check that the service is indeed active on your machine by running <em><strong>systemctl | grep likemae</strong></em>.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-26.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-26.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-26.png" /></noscript>


<p><em>Figure 17: </em><em><strong>likemae </strong></em><em>service is active</em></p>
</center>
<p>

</p>
<p>So far, you know the malware established persistence on the machine by creating a service and copied itself to <strong>/usr/bin/likemae</strong>. You can also tell that the process we ran exited after establishing persistence. Let’s check whether a process called likemae is currently running on our system. Run <strong>pstree -p | grep likemae</strong> (the <strong>-p</strong> flag shows process IDs).</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-20.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-20.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-20.png" /></noscript>


<p><em>Figure 18: </em><em><strong>likemae </strong></em><em>process is running with PID 15083</em></p>
</center>
<p>

</p>
<p>If we run <em><strong>cat /proc/15083/cmdline</strong></em>, we will see that the command line is <strong>/bin/bash</strong>. This is because the process was started by the service.</p>
<p>

</p>
<p>Now that the service exists and the malware has established persistence, you can expect the new malware process to perform further actions on the system. Attach strace to likemae’s PID by running <strong>strace -p 15083</strong>.</p>
<p>

</p>
<p>From the syscalls we can see that the process attempts to connect to the c[.]linux-hosts[.]com host and then sleeps for 30 seconds (see the nanosleep syscall). The following snippet shows the connection attempt loop, including the syscalls made in order to connect to the C&amp;C.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-3.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-3.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0-3.png" /></noscript>


<p><em>Figure 19: Connection attempt loop</em></p>
</center>
<p>

</p>
<p>You can view the network connection attempts in Wireshark as well.</p>
<p>

</p>
<figure class="wp-block-image"></figure>
<center><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0.png" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/02/pasted-image-0.png" /></noscript>


<p><em>Figure 20: Network connection attempts in Wireshark</em></p>
</center>
<p>

</p>
<p>In Figure 20, you can see the DNS resolution of the host and the attempt to reach it over TCP. The TCP handshake is never completed: instead of replying with a [SYN, ACK] packet, the host sends back [RST, ACK], which means the port the malware attempts to connect to on the C&amp;C is closed.</p>
<p>

</p>
<p>Because the C&amp;C is not reachable, as expected we have essentially hit a “dead end” in the dynamic analysis step. You could still explore the domain for other open ports, but we will not go further in this article. Nonetheless, you have gained crucial insights into how the malware operates once it runs, how to detect it on compromised systems, and how to remove it from your system.</p>
<p>

</p>
<p><strong><u>Tip</u>: </strong>Some malware behaves differently when run as a privileged vs. an unprivileged user. The malware we analyzed will not gain persistence if it runs as an unprivileged user. It is recommended to run the file both as a privileged and as an unprivileged user to understand the full spectrum of its capabilities.</p>
<h2 style="color: #627d98; font-size: 28px;">Wrap-Up</h2>
<p>We reviewed ELF dynamic analysis and detailed the different components and tools relevant for this step. You learned how to gather insights about a file’s behavior using these tools. You also learned how insights gathered during initial analysis can help you focus on certain components during dynamic analysis.</p>
<p>

</p>
<p>There are cases where you will hit a dead end during dynamic analysis: the C&amp;C could be down, the malware may only run in a particular environment or time zone, and so on. Remember, the goal of dynamic analysis is to gather additional insights into how the malware behaves. This helps you detect the malware on compromised systems and collect indicators related to it, such as file names, C&amp;C addresses, persistence methods and more, which in turn can lead you to connect the malware to other tools, campaigns and/or threat actors.</p>
<p>

</p>
<p>Dynamic analysis should be done responsibly. Since the sample actually executes, take into account the safety of your own system and network, as well as of any other machines the sample could reach from the analysis environment.</p>
<h2 style="color: #627d98; font-size: 28px;">What’s Next?</h2>
<p>Next up you will learn how to get payloads from packers and loaders by extracting memory dumps.</p>
<h2 style="color: #627d98; font-size: 28px;">Appendix</h2>
<p>These tools and commands were used or mentioned in this article:</p>
<p>

</p>
<ol style="color: #627d98;">
<li><a href="https://tria.ge/dashboard" target="_blank" rel="noopener">Hatching-Triage</a></li>
<li><a href="https://www.hybrid-analysis.com/" target="_blank" rel="noopener">Hybrid-Analysis</a></li>
<li><a href="https://www.intezer.com/intezer-analyze/" target="_blank" rel="noopener">Intezer Analyze</a></li>
<li><a href="https://github.com/intezer/linux-explorer" target="_blank" rel="noopener">Linux Expl0rer</a></li>
<li><a href="https://itsfoss.com/install-linux-in-virtualbox/" target="_blank" rel="noopener">Linux VM</a></li>
<li><a href="https://github.com/danieluhricek/LiSa" target="_blank" rel="noopener">LiSa</a></li>
<li><a href="https://www.openssh.com/" target="_blank" rel="noopener">OpenSSH</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/pidof.1.html" target="_blank" rel="noopener">pidof</a></li>
<li><a href="https://github.com/microsoft/ProcMon-for-Linux" target="_blank" rel="noopener">ProcMon-for-Linux</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/ps.1.html" target="_blank" rel="noopener">ps</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/pstree.1.html" target="_blank" rel="noopener">pstree</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/readelf.1.html" target="_blank" rel="noopener">readelf</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/strace.1.html" target="_blank" rel="noopener">strace</a></li>
<li><a href="https://linux.die.net/man/1/strings" target="_blank" rel="noopener">strings</a></li>
<li><a href="https://www.sublimetext.com/docs/3/linux_repositories.html" target="_blank" rel="noopener">Sublime Text</a></li>
<li><a href="https://www.tcpdump.org/manpages/tcpdump.1.html" target="_blank" rel="noopener">tcpdump</a></li>
<li><a href="https://man7.org/linux/man-pages/man1/top.1.html" target="_blank" rel="noopener">top</a></li>
<li><a href="https://www.wireshark.org/" target="_blank" rel="noopener">Wireshark</a></li>
</ol>
<p></p>
<p><a id="contentbanneranalyzefooter" href="https://analyze.intezer.com/create-account?banner=contentbanneranalyzefooter"><img loading="lazy" width="750" height="300" class="aligncenter size-full wp-image-12310 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png" data-slb-group="post-images" alt data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png 750w, https://www.intezer.com/wp-content/uploads/2020/09/AnalyzeA_750_300-300x120.png 300w" data-lazy-sizes="(max-width: 750px) 100vw, 750px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="750" height="300" class="aligncenter size-full wp-image-12310" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png" alt="" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300.png 750w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/09/AnalyzeA_750_300-300x120.png 300w " sizes="(max-width: 750px) 100vw, 750px" /></noscript></a></p><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/IMG_20200610_100615-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Avigayil Mechtinger</strong><div class="share-author"></div><p>Avigayil is a product manager at Intezer, leading Intezer Analyze product lifecycle. Prior to this role, Avigayil was part of Intezer's research team and specialized in malware analysis and threat hunting. 
During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/dfir/" rel="tag">DFIR</a> <a href="https://www.intezer.com/tag/dynamic-analysis/" rel="tag">Dynamic Analysis</a> <a href="https://www.intezer.com/tag/elf-malware/" rel="tag">ELF Malware</a> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/malware/" rel="tag">malware</a> <a href="https://www.intezer.com/tag/malware-analysis/" rel="tag">Malware Analysis</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/malware-analysis/new-feature-get-more-context-for-your-analysis-with-ttps/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/malware-analysis/new-feature-get-more-context-for-your-analysis-with-ttps/" rel="prev">New Feature: Get More Context for your Analysis with TTPs</a></h4></div></div><div class="next-post"><a href="https://www.intezer.com/blog/cloud-security/2020-set-record-for-new-linux-malware-families/" rel="next"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/cloud-security/2020-set-record-for-new-linux-malware-families/" rel="next">2020 Set a Record for New Linux Malware Families</a></h4></div></div></nav>        <div class="related-posts">
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>


        <script type="text/javascript">
	$(window).scroll(function() {
    var nav = $('#main-menu');
    var toppopheight = $('#top-bar-spacer').height();
    var top = 140;
    if ($(window).scrollTop() >= top) {
        nav.addClass('botborder');
		nav.css({ top: toppopheight });
    } else {
        nav.removeClass('botborder');
     nav.css({ top: 0 });
    }
});
</script>
	   <link rel='stylesheet' id='elementor-frontend-legacy-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend-legacy.min.css?ver=3.6.3' media='all' />
<link rel='stylesheet' id='elementor-frontend-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend-lite.min.css?ver=1649858495' media='all' />
<link   data-wpacu-apply-media-query='screen and (min-width: 1024px)' rel='stylesheet' id='elementor-post-16929-css'  wpacu-elementor-post-16929-href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1649858492' media='all' /><script>
function wpacu_elementor_post_16929_match_media(wpacu_elementor_post_16929_match_media_var) {
    if (wpacu_elementor_post_16929_match_media_var.matches) { 
        var wpacuHrefAttr = document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].getAttribute('wpacu-elementor-post-16929-href');
        document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].setAttribute('href', wpacuHrefAttr); 
    }
}
try { var wpacu_elementor_post_16929_match_media_var = window.matchMedia("screen and (min-width: 1024px)"); wpacu_elementor_post_16929_match_media(wpacu_elementor_post_16929_match_media_var); wpacu_elementor_post_16929_match_media_var.addListener(wpacu_elementor_post_16929_match_media); }
catch (wpacuError) {
	var wpacuHrefAttr = document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].getAttribute('wpacu-elementor-post-16929-href');
    document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].setAttribute('href', wpacuHrefAttr); 
}
</script>
<link rel='stylesheet' id='elementor-post-8921-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-8921.css?ver=1649858491' media='all' />
<link rel='stylesheet' id='elementor-pro-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-pro-frontend-lite.min.css?ver=1649858497' media='all' />
<script   type='text/javascript' src='https://c0.wp.com/c/5.9.3/wp-includes/js/dist/vendor/regenerator-runtime.min.js' id='regenerator-runtime-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/5.9.3/wp-includes/js/dist/vendor/wp-polyfill.min.js' id='wp-polyfill-js'></script>
<script type='text/javascript' id='contact-form-7-js-extra'>
/* <![CDATA[ */
var wpcf7 = {"api":{"root":"https:\/\/www.intezer.com\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6' id='contact-form-7-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/dynamicconditions/Public/js/dynamic-conditions-public.js?ver=1.5.2' id='dynamic-conditions-js'></script>
<script type='text/javascript' id='leadin-script-loader-js-js-extra'>
/* <![CDATA[ */
var leadin_wordpress = {"userRole":"visitor","pageType":"post","leadinPluginVersion":"8.9.22"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://js.hs-scripts.com/5492986.js?integration=WordPress&#038;ver=8.9.22' async defer id='hs-script-loader'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/js/highlight-core.js?ver=3.0' id='prismatic-highlight-js'></script>
<script   type='text/javascript' id='prismatic-highlight-js-after'>
hljs.initHighlightingOnLoad();
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/tether.min.js?ver=69620a8ea322898ee44dac014d43fe0a' id='tether_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/bootstrap.min.js?ver=69620a8ea322898ee44dac014d43fe0a' id='bootstrap_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/main.js?ver=69620a8ea322898ee44dac014d43fe0a' id='intezer-main-scripts-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/5.9.3/wp-includes/js/dist/hooks.min.js' id='wp-hooks-js'></script>
<script   type='text/javascript' id='wpdreams-ajaxsearchlite-js-before'>
window.ASL = typeof window.ASL !== 'undefined' ? window.ASL : {}; window.ASL.wp_rocket_exception = "DOMContentLoaded"; window.ASL.ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.backend_ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.js_scope = "jQuery"; window.ASL.detect_ajax = 0; window.ASL.scrollbar = true; window.ASL.js_retain_popstate = 0; window.ASL.version = 4750; window.ASL.min_script_src = ["https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/jquery.ajaxsearchlite.min.js"]; window.ASL.highlight = {"enabled":false,"data":[]}; window.ASL.fix_duplicates = 1; window.ASL.analytics = {"method":0,"tracking_id":"","string":"?ajax_search={asl_term}","event":{"focus":{"active":1,"action":"focus","category":"ASL","label":"Input focus","value":"1"},"search_start":{"active":0,"action":"search_start","category":"ASL","label":"Phrase: {phrase}","value":"1"},"search_end":{"active":1,"action":"search_end","category":"ASL","label":"{phrase} | {results_count}","value":"1"},"magnifier":{"active":1,"action":"magnifier","category":"ASL","label":"Magnifier clicked","value":"1"},"return":{"active":1,"action":"return","category":"ASL","label":"Return button pressed","value":"1"},"facet_change":{"active":0,"action":"facet_change","category":"ASL","label":"{option_label} | {option_value}","value":"1"},"result_click":{"active":1,"action":"result_click","category":"ASL","label":"{result_title} | {result_url}","value":"1"}}};
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/jquery.ajaxsearchlite.min.js?ver=4.9.5' id='wpdreams-ajaxsearchlite-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack-boost/jetpack_vendor/automattic/jetpack-lazy-images/dist/intersection-observer.js?minify=false&#038;ver=d9298cd9df65ad92eff12a3a90a1a5b8' id='jetpack-lazy-images-polyfill-intersectionobserver-js'></script>
<script type='text/javascript' id='jetpack-lazy-images-js-extra'>
/* <![CDATA[ */
var jetpackLazyImagesL10n = {"loading_warning":"Images are still loading. Please cancel your print and try again."};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack-boost/jetpack_vendor/automattic/jetpack-lazy-images/dist/lazy-images.js?minify=false&#038;ver=a902a338e584591be6603d4879c43367' id='jetpack-lazy-images-js'></script>
<script type='text/javascript' id='wpcf7cf-scripts-js-extra'>
/* <![CDATA[ */
var wpcf7cf_global_settings = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"};
/* ]]> */
</script>
<!-- Contact Form 7 conditional-fields script (reads wpcf7cf_global_settings above) and the
     Google reCAPTCHA loader. The reCAPTCHA script is third-party and self-updating, so an SRI
     hash cannot pin it; the render= value is the public site key, which is meant to be
     visible to browsers. -->
<script id="wpcf7cf-scripts-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/js/scripts.js?ver=2.1.2"></script>
<script id="google-recaptcha-js" src="https://www.google.com/recaptcha/api.js?render=6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD&amp;ver=3.0"></script>
<script type='text/javascript' id='wpcf7-recaptcha-js-extra'>
/* <![CDATA[ */
var wpcf7_recaptcha = {"sitekey":"6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD","actions":{"homepage":"homepage","contactform":"contactform"}};
/* ]]> */
</script>
<!-- Contact Form 7 reCAPTCHA glue (reads wpcf7_recaptcha above), the Elementor Pro and
     Elementor webpack runtimes plus front-end modules, and wp.i18n served from the
     WordPress.com CDN (c0.wp.com). -->
<script id="wpcf7-recaptcha-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.6"></script>
<script id="elementor-pro-webpack-runtime-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.6.4"></script>
<script id="elementor-webpack-runtime-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.6.3"></script>
<script id="elementor-frontend-modules-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.6.3"></script>
<script id="wp-i18n-js" src="https://c0.wp.com/c/5.9.3/wp-includes/js/dist/i18n.min.js"></script>
<script   type='text/javascript' id='wp-i18n-js-after'>
wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
</script>
<script   type='text/javascript' id='elementor-pro-frontend-js-translations'>
// Register Elementor Pro's front-end translations with wp.i18n. No real translations are
// shipped here: the payload only carries the empty header entry ("") under "messages",
// which gets tagged with the domain before registration.
( function( domain, translations ) {
	var byDomain = translations.locale_data;
	var localeData = byDomain[ domain ] ? byDomain[ domain ] : byDomain.messages;
	localeData[""].domain = domain;
	wp.i18n.setLocaleData( localeData, domain );
} )( "elementor-pro", { "locale_data": { "messages": { "": {} } } } );
</script>
<script   type='text/javascript' id='elementor-pro-frontend-js-before'>
var ElementorProFrontendConfig = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","nonce":"9ee87a13bf","urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/assets\/","rest":"https:\/\/www.intezer.com\/wp-json\/"},"shareButtonsNetworks":{"facebook":{"title":"Facebook","has_counter":true},"twitter":{"title":"Twitter"},"linkedin":{"title":"LinkedIn","has_counter":true},"pinterest":{"title":"Pinterest","has_counter":true},"reddit":{"title":"Reddit","has_counter":true},"vk":{"title":"VK","has_counter":true},"odnoklassniki":{"title":"OK","has_counter":true},"tumblr":{"title":"Tumblr"},"digg":{"title":"Digg"},"skype":{"title":"Skype"},"stumbleupon":{"title":"StumbleUpon","has_counter":true},"mix":{"title":"Mix"},"telegram":{"title":"Telegram"},"pocket":{"title":"Pocket","has_counter":true},"xing":{"title":"XING","has_counter":true},"whatsapp":{"title":"WhatsApp"},"email":{"title":"Email"},"print":{"title":"Print"}},"facebook_sdk":{"lang":"en_US","app_id":""},"lottie":{"defaultAnimationUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/modules\/lottie\/assets\/animations\/default.json"}};
</script>
<!-- Elementor Pro front end (consumes ElementorProFrontendConfig and the translations
     registered above), the Waypoints library, and jQuery UI core from the WordPress.com CDN. -->
<script id="elementor-pro-frontend-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.6.4"></script>
<script id="elementor-waypoints-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4.0.2"></script>
<script id="jquery-ui-core-js" src="https://c0.wp.com/c/5.9.3/wp-includes/js/jquery/ui/core.min.js"></script>
<script   type='text/javascript' id='elementor-frontend-js-before'>
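// Elementor front-end configuration, emitted before frontend.min.js (next script tag).
// Fix: the featuredImage URL in the post section was split across two physical lines in
// the middle of the string literal ("https:\/\/www.int" + "ezer.com\/..."), which is a
// syntax error that would abort this whole inline script; the literal is rejoined here
// and the top-level keys are put one per line so the data stays readable.
var elementorFrontendConfig = {
	// edit/preview flags for the Elementor editor; all off on the public page
	"environmentMode":{"edit":false,"wpPreview":false,"isScriptDebug":false},
	// UI strings used by lightbox / share controls
	"i18n":{"shareOnFacebook":"Share on Facebook","shareOnTwitter":"Share on Twitter","pinIt":"Pin it","download":"Download","downloadImage":"Download image","fullscreen":"Fullscreen","zoom":"Zoom","share":"Share","playVideo":"Play Video","previous":"Previous","next":"Next","close":"Close"},
	"is_rtl":false,
	// legacy fixed breakpoints (px) and the configurable responsive breakpoint set
	"breakpoints":{"xs":0,"sm":480,"md":768,"lg":1140,"xl":1440,"xxl":1600},
	"responsive":{"breakpoints":{"mobile":{"label":"Mobile","value":767,"default_value":767,"direction":"max","is_enabled":true},"mobile_extra":{"label":"Mobile Extra","value":880,"default_value":880,"direction":"max","is_enabled":false},"tablet":{"label":"Tablet","value":1139,"default_value":1024,"direction":"max","is_enabled":true},"tablet_extra":{"label":"Tablet Extra","value":1200,"default_value":1200,"direction":"max","is_enabled":false},"laptop":{"label":"Laptop","value":1366,"default_value":1366,"direction":"max","is_enabled":false},"widescreen":{"label":"Widescreen","value":2400,"default_value":2400,"direction":"min","is_enabled":false}}},
	"version":"3.6.3",
	"is_static":false,
	// feature flags as enabled on this install
	"experimentalFeatures":{"e_optimized_assets_loading":true,"e_optimized_css_loading":true,"e_font_icon_svg":true,"e_import_export":true,"e_hidden_wordpress_widgets":true,"theme_builder_v2":true,"landing-pages":true,"elements-color-picker":true,"favorite-widgets":true,"admin-top-bar":true,"page-transitions":true,"form-submissions":true,"e_scroll_snap":true},
	"urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor\/assets\/"},
	"settings":{"page":[],"editorPreferences":[]},
	"kit":{"viewport_tablet":1139,"active_breakpoints":["viewport_mobile","viewport_tablet"],"lightbox_enable_fullscreen":"yes","lightbox_title_src":"title","lightbox_description_src":"description"},
	// the current post; title is URL-encoded as emitted by the server
	"post":{"id":16712,"title":"ELF%20Malware%20Analysis%20101%3A%20Part%203%20-%20Advanced%20Analysis","excerpt":"","featuredImage":"https:\/\/www.intezer.com\/wp-content\/uploads\/2020\/06\/shutterstock_282380951-1.jpg"}
};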
</script>
<!-- Elementor front end (reads elementorFrontendConfig above) and the Elementor Pro
     element handlers. -->
<script id="elementor-frontend-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.6.3"></script>
<script id="pro-elements-handlers-js" src="https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js?ver=3.6.4"></script>
<script type="text/javascript" id="slb_context">/* <![CDATA[ */if ( !!window.jQuery ) {(function($){$(document).ready(function(){if ( !!window.SLB ) { {$.extend(SLB, {"context":["public","user_guest"]});} }})})(jQuery);}/* ]]> */</script>
		<script type="text/javascript">
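			// Load the Gauges analytics tracker asynchronously by injecting a script element
			// ahead of the first script on the page. data-site-id is the public Gauges site id.
			// Fix: the script URL was protocol-relative ('//secure.gaug.es/...'), which inherits
			// the page's scheme; it is now explicit https so the tracker can never be fetched
			// over plain http if this markup is ever served insecurely. Being a self-updating
			// third-party script it cannot carry an SRI hash; a CSP script-src allowlist is the
			// remaining control if one is deployed.
			(function() {
				var tracker = document.createElement( 'script' );
				tracker.async = true;
				tracker.id    = 'gauges-tracker';
				tracker.setAttribute( 'data-site-id', '5fd5ade352684d3c97554910' );
				tracker.src = 'https://secure.gaug.es/track.js';
				var firstScript = document.getElementsByTagName( 'script' )[0];
				firstScript.parentNode.insertBefore( tracker, firstScript );
			})();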
		</script>
		<script src='https://stats.wp.com/e-202216.js' defer></script>
<script>
	// WordPress.com stats beacon: queue a page view for this post and initialise click
	// tracking. _stq is a global command queue, presumably drained by the stats.wp.com
	// script loaded just above (it must exist before that script runs).
	_stq = window._stq || [];
	( function( queue ) {
		var blogId = '186808338';
		var postId = '16712';
		queue.push( [ 'view', { v: 'ext', j: '1:10.9-a.5', blog: blogId, post: postId, tz: '-4', srv: 'www.intezer.com', hp: 'atomic', ac: '3' } ] );
		queue.push( [ 'clickTrackerInit', blogId, postId ] );
	} )( _stq );
</script>
<!-- No-JS fallbacks for the Jetpack stylesheet and the Elementor post-16929 stylesheet
     (presumably injected by script when JavaScript is available). -->
<noscript><link rel="stylesheet" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.9-a.5" media="all"></noscript>
<noscript><link id="elementor-post-16929-css" data-wpacu-apply-media-query="screen and (min-width: 1024px)" rel="stylesheet" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1649858492" media="all"></noscript>
        <script type="text/javascript"> /* <![CDATA[ */ var google_conversion_id = 842858921; var google_custom_params = window.google_tag_params; var google_remarketing_only = true; /* ]]> */ </script> <script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"> </script> <noscript> <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/842858921/?guid=ON&amp;script=0"/> </div> </noscript>

<script type="text/javascript" id="hs-script-loader" async defer src="//js.hs-scripts.com/5492986.js"></script>

<script>
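  // After the page has fully loaded, report an account-creation conversion to Google Ads
  // when the visitor is on the post-signup confirmation path.
  // Fix: the original called gtag() unguarded; gtag is expected to be defined by a tag
  // script loaded elsewhere on the page, so if that script is blocked or absent the handler
  // threw a ReferenceError. The guard below makes the beacon a clean no-op instead.
  window.addEventListener('load', function() {
    // pathname is always a string, so strict comparison is equivalent to the original ==
    if (window.location.pathname !== '/create-account/created') {
      return;
    }
    if (typeof gtag !== 'function') {
      return;
    }
    gtag('event', 'conversion', {
      'send_to': 'AW-725468766/6LItCJ7G_awDEN6M99kC'
    });
  });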

</script>

    </body>
</html>
<!--
	generated 161 seconds ago
	generated in 0.982 seconds
	served from batcache in 0.002 seconds
	expires in 139 seconds
-->
